Access Control Lists
Introduction
Access Control Lists are a feature of the Linux file system that extend the traditional Unix file permissions to allow more precise control for specific users or groups.
Setting ACL
Two places where this can be useful are root-owned files and Apache. For root-owned files it is sometimes desirable to give one other user access (such as the kcc user), and with traditional Unix file permissions this is only possible by giving all users access. For example, to give the specific user kcc read access to the Apache error log, we can do
setfacl -m u:kcc:rx /var/log/httpd
setfacl -m u:kcc:r /var/log/httpd/error_log
This allows the user kcc to enter the directory (rx) and read the specific file (r). Of course, only the root user would have permission to do this.
Viewing ACL
To view the ACL settings for a file, first note that ls -l marks a file with extended permissions by appending a + after the standard Unix permissions. The getfacl command shows the detail (and can be used on any file, even where no ACL permissions have been set).
> ls -l /var/log/httpd/error_log
-rw-r-----+ 1 root root 299 Jul 6 04:02 /var/log/httpd/error_log
> getfacl /var/log/httpd/error_log
getfacl: Removing leading '/' from absolute path names
# file: var/log/httpd/error_log
# owner: root
# group: root
user::rw-
user:kcc:r--
group::r--
mask::r--
other::---
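The getfacl listing above contains a mask entry, and the mask caps every named user and group entry: a user:kcc:rwx entry behind a mask::r-- still only grants read, which is what getfacl reports as "#effective:". The following is an added example, not from the original page: a small POSIX shell script that recognises the + flag in an ls -l line and computes a named user's effective rights from getfacl output. The getfacl text and the ls -l line it works on are constructed samples embedded in the script (the kcc user and the error_log path are taken from the page; the rwx entry is widened deliberately so the mask visibly applies), so it runs offline and does not need setfacl installed.

```shell
#!/bin/sh
# Added example: read getfacl/ls output and work out what a named user really gets.

# Constructed sample of getfacl output: same shape as the page's listing, but with
# user:kcc widened to rwx so that the mask::r-- entry visibly caps it.
SAMPLE_ACL='# file: var/log/httpd/error_log
# owner: root
# group: root
user::rw-
user:kcc:rwx
group::r--
mask::r--
other::---'

# Constructed ls -l line in the shape the page shows (note the trailing + on the mode).
SAMPLE_LS='-rw-r-----+ 1 root root 299 Jul 6 04:02 /var/log/httpd/error_log'

# has_acl_flag "LS_LINE": succeed when the mode field ends in "+", which is how
# ls -l signals that an extended ACL is present on the file.
has_acl_flag() {
    mode=$(printf '%s\n' "$1" | awk '{print $1}')
    case $mode in
        *+) return 0 ;;
        *)  return 1 ;;
    esac
}

# acl_field "GETFACL_TEXT" TAG NAME: print the rwx string of the entry TAG:NAME:perms.
# Entries without a name (mask, owner user, owning group) are looked up with NAME="".
acl_field() {
    printf '%s\n' "$1" | awk -F: -v tag="$2" -v name="$3" \
        '$1 == tag && $2 == name { print $3; exit }'
}

# perm_and RWX1 RWX2: character-wise AND of two rwx strings (r-x AND rw- -> r--).
perm_and() {
    a=$1; b=$2; out=""; i=1
    while [ "$i" -le 3 ]; do
        ca=$(printf '%s\n' "$a" | cut -c "$i")
        cb=$(printf '%s\n' "$b" | cut -c "$i")
        if [ "$ca" = "$cb" ] && [ "$ca" != "-" ]; then
            out="$out$ca"
        else
            out="$out-"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# effective_user_perms "GETFACL_TEXT" USER: the named-user entry ANDed with the mask,
# i.e. the rights USER actually has. A user with no named entry gets "---" here
# (the kernel would fall back to the group/other entries for such a user).
effective_user_perms() {
    entry=$(acl_field "$1" user "$2")
    [ -n "$entry" ] || { printf '%s\n' "---"; return 0; }
    mask=$(acl_field "$1" mask "")
    [ -n "$mask" ] || { printf '%s\n' "$entry"; return 0; }
    perm_and "$entry" "$mask"
}

# Stand-alone demonstration on the constructed samples.
if has_acl_flag "$SAMPLE_LS"; then
    echo "ls -l reports an extended ACL on the file"
fi
echo "named entry for kcc : $(acl_field "$SAMPLE_ACL" user kcc)"
echo "mask                : $(acl_field "$SAMPLE_ACL" mask "")"
echo "effective for kcc   : $(effective_user_perms "$SAMPLE_ACL" kcc)"
```

The practical lesson is that after setfacl -m u:kcc:rwx it is worth re-running getfacl and reading the mask line (or the #effective: comments it prints), because a narrow mask silently reduces what a named entry appears to grant; setfacl recalculates the mask on modification unless told not to, which is why the page's example ends up with mask::r--.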
Availability
ACL support has been in Linux since kernel 2.4. To use it, the acl option must be enabled on the file-system mount. Often it is enabled by default, but if not it needs to be explicitly enabled in /etc/fstab and the file system remounted. Even if /etc/fstab just shows the mount as defaults it may already be enabled. For example, on this machine it had to be enabled explicitly:
[kcc@D-VMSR-MT-BC1 ~]$ cat /etc/fstab
/dev/mapper/rootvg-rootvol / ext4 defaults,acl 1 1
It is possible that the getfacl and setfacl commands have not been installed. In this case they need to be added with yum (or the equivalent package manager).
AIX
Access Control Lists also exist in AIX albeit with different commands. They are not currently supported in KCML.
See also:
ico2png